EP3065367A1 - Système et procédé automatisés d'évolution de règles de détection d'hameçonnage - Google Patents

Système et procédé automatisés d'évolution de règles de détection d'hameçonnage Download PDF

Info

Publication number
EP3065367A1
EP3065367A1 EP15163749.3A EP15163749A EP3065367A1 EP 3065367 A1 EP3065367 A1 EP 3065367A1 EP 15163749 A EP15163749 A EP 15163749A EP 3065367 A1 EP3065367 A1 EP 3065367A1
Authority
EP
European Patent Office
Prior art keywords
phishing
rule
detection
data
content
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP15163749.3A
Other languages
German (de)
English (en)
Other versions
EP3065367B1 (fr
Inventor
Maxim G. Koshelev
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kaspersky Lab AO
Original Assignee
Kaspersky Lab AO
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kaspersky Lab AO filed Critical Kaspersky Lab AO
Publication of EP3065367A1 publication Critical patent/EP3065367A1/fr
Application granted granted Critical
Publication of EP3065367B1 publication Critical patent/EP3065367B1/fr
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28Databases characterised by their database models, e.g. relational or object models
    • G06F16/284Relational databases
    • G06F16/285Clustering or classification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21Monitoring or handling of messages
    • H04L51/212Monitoring or handling of messages using filtering or selective blocking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Definitions

  • This invention relates to the field of information security and, particularly, to protecting a personal computer system and its user from fraudulent information-gathering activity commonly known as phishing. More particularly, the invention is directed to automatic development of phishing detection rules based on the use of existing rules.
  • phishing i.e. gaining access to confidential user information through electronic messaging by masquerading as a known or trusted entity, e.g., popular brands, personal messages within various services (for example, within social networks), and creation and registration with search services of sites posing as legitimate sites of banks, Internet stores, social networks, etc.
  • a letter or message sent to users by fraudsters often contains links to malicious sites which look familiar, and often quite similar, to real ones, or to sites from which a transfer to malicious sites will be made.
  • fraudsters using various social engineering techniques, try to cause the user to enter his/her confidential information, which the fraudster then uses to access corresponding user accounts and bank accounts.
  • the user is exposed to the risk of receiving, from a fake site, a malicious application that works unbeknownst to the user to gather various other items of information from the victim's computer and transfer it to fraudsters.
  • One aspect of the invention is directed to automatically developing detection rules for detecting phishing content in incoming data.
  • This aspect is embodied in a system and a method, and in variations thereof.
  • incoming data directed to a destination is obtained. Any indicia of phishing that may be present in the incoming data is detected, with the detecting being performed by application of a plurality of phishing detection rules.
  • a quantitative score for each of a plurality of predefined parameters is determined, with each of the parameters relating to at least one of the phishing indicia, and each quantitative score representing a likelihood of a presence of phishing content in the incoming data for the at least one of the phishing indicia.
  • a requirement is assessed for evolving a phishing detection rule by applying a predefined set of rule evolution criteria to a combination of the determined quantitative scores of a plurality of parameters.
  • a new phishing detection rule is generated based on selected parameter scores meeting the rule evolution criteria and on corresponding content of the phishing indicia relating to those selected parameter scores.
  • the phishing indicia and quantitative score computation is performed recursively based on the new detection rules, as are further assessment of the requirement for rule evolution and generation of new detection rules.
  • Any phishing-related objects are identified based on selected parameter scores exceeding a phishing detection threshold and on corresponding content of the phishing indicia relating to those selected parameter scores.
  • the content relating to the phishing-related objects in the incoming data can be modified to remove or reduce maliciousness of the phishing-related objects.
  • Computer platform an electronic device or system of inter-operable electronic devices containing hardware including one or more processors, data storage, input-output devices; and capable of storing and manipulating information according to software instructions carried out by the hardware. It can be one physical machine, or it can be distributed among multiple physical machines, such as by role or function, or by process thread in the case of a cloud computing distributed model. Examples include desktop or mobile personal computers (PCs), smartphones, and tablets, as well as networking devices, such as routers, switches, and the like. Computing platforms can be stand-alone devices, or embedded devices that are part of a larger device or system.
  • Data capture Obtaining of data being sent to a designated destination by an entity, such as a driver or proxy, that is not the designated destination.
  • Data storage One or more electronic hardware devices that stores data in a physical storage medium. Examples include volatile storage (e.g., random-access memory (RAM), whether static or dynamic), non-volatile storage (e.g., electrically-erasable programmable read-only memory, magnetic disk, etc.).
  • volatile storage e.g., random-access memory (RAM), whether static or dynamic
  • non-volatile storage e.g., electrically-erasable programmable read-only memory, magnetic disk, etc.
  • Driver An engine or component that acts like a translator between a device, such as a disk drive, and programs that use the device, such as the operating system shell.
  • the driver ordinarily accepts generic commands from a program and then translates them into specialized commands for the device.
  • Engine A real-world device, component, or arrangement of components implemented using hardware, or as a combination of hardware and software, such as by a microprocessor system and a set of program instructions that adapt the engine to implement the particular functionality, which (while being executed) transform the microprocessor system into a special-purpose device.
  • a engine can also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of software-controlled hardware.
  • At least a portion, and in some cases, all, of a engine can be executed on the processor(s) of one or more computers that execute an operating system, system programs, and application programs, while also implementing the engine using multitasking, multithreading, distributed (e.g., cluster, peer-peer, cloud, etc.) processing where appropriate, or other such techniques.
  • a engine can itself be composed of more than one sub-engines, each of which can be regarded as a engine in its own right.
  • Interception Reading and capturing data by an intermediary process or device, the data being directed to a destination, thereby holding that data from proceeding until the intercepted data is released. While being held, the intercepted data can be re-directed, altered, dropped, delayed, or otherwise acted upon by the intermediary process or device.
  • Network interface device A type of input/output device that facilitates communication of information to an external computing device over a computer network. Examples include an Ethernet port, a Wi-Fi radio interface, a BluetoothTM interface, etc.
  • Object A piece of software code, or data structure, e.g., text or graphic, stored in computer hardware. Examples include files, programs, data packets, etc.
  • a parameter can relate to one or more individual phishing indicia.
  • a parameter can represent the presence of a particular phishing indicator in a set of data.
  • a parameter can represent a count of various phishing indicia in a set of data.
  • a parameter represents a measure of the strength of the phishing detection, and is also indicative of the specific items of phishing content.
  • Phishing A malicious attempt to acquire confidential information from a victim, such as access credentials, financial account details, personal information or the like, by masquerading as a trustworthy entity in an electronic communication.
  • Process virtual machine a virtual machine designed to run a single program, which means that it supports a single process.
  • Such virtual machines are usually closely suited to one or more programming languages and built with the purpose of providing program portability and flexibility. Examples include Java Virtual Machine, .Net Framework, Parrot Virtual Machine.
  • processor Electronic hardware part of a computer system that carries out the instructions of a computer program by performing basic arithmetical, logical, temporary storage, and input/output operations of the system.
  • a processor is implemented as a microprocessor (i.e., integrated on a single chip), though this definition includes processor circuits that are implemented on multiple interconnected integrated circuits.
  • Modern-day processors typically include multiple processing cores and can distribute workload among the multiple processing cores.
  • Proxy "Proxy server,” “Proxy service” - An intermediary engine running on a local computer system or on a distinct computer system or network device (e.g., switch, router, etc.), that functions as an intermediary between an application of the local (client) computer system that access a remote computer (e.g., a server) over a computer network.
  • a proxy can additionally assist with establishing connections between the local and remote computer systems, and can provide a variety of data processing operations for the benefit of the local computer system. Data flow is passed through the proxy, which can monitor, filter or modify, and redirect the data packets as needed according to the beneficial service to be provided by the proxy.
  • a proxy can analyze the connections to network addresses, and block or redirect network traffic if a connection is suspected of exposing the user's computer system to undue risk (such as the transfer of phishing content - as pertinent to the present invention).
  • Another example of further data processing operations performed by a proxy is storing copies of frequently-used Web pages (caching) to provide faster loading of those pages.
  • Phishing content detection engine 120 Phishing content detection engine 120 according to any one (or combination of) each of their various embodiments described below, or any of each of their structural equivalents.
  • aspects of the present invention can be implemented as part of a computer system programmed to become a special-purpose machine, or as a combination of special-purpose machines.
  • the computer system can be one physical machine, or can be distributed among multiple physical machines, such as by role or function, or by process thread in the case of a cloud computing distributed model.
  • aspects of the invention can be configured to run in virtual machines that in turn are executed on one or more physical machines. It will be understood by persons of skill in the art that features of the invention may be realized by a variety of different suitable machine implementations.
  • FIG. 1A is a block diagram illustrating system 100 for selectively building, and evolving, rules for detecting phishing indicia in the data sent from a server 102 to a client 104, according to one embodiment.
  • system 100 works as an intermediary in a server-client arrangement in which one or more servers 102 exchange data with a client 104 via the network 105 and to provide the client with access to certain resources or services.
  • servers 102 The following are examples of servers 102:
  • Network 105 facilitates the exchange of data between servers 102 and client 104.
  • the client 104 receives data from the server 102, processes the received data, and displays the result of the processing to the user.
  • Client 104 in various examples, can be implemented as:
  • system 100 is built to operate automatically, meaning that system 100 performs its principal functionality autonomously, i.e., without operator intervention. It will be understood that various other embodiments may facilitate user control or input of varying degree, with remaining functionality and decision-making handled in automated fashion under program control.
  • the selective aspect of the operation of system 100 means that rules are built and evolved in response to the satisfaction of rule evolution criteria.
  • system 100 is configured to monitor communications between servers 102 and client 104 that are facilitated via network 105 such as the Internet.
  • System 100 performs a number of functions, as described in detail below, the most basic of which is to detect the presence of phishing content in the data sent from one or more servers 102 to client 104, and to respond to the detected presence of phishing content. For example, the response can be to remove the phishing content altogether, flag the phishing content, or otherwise render the phishing content benign.
  • system 100 has an architecture that includes data capture engine 110, a phishing content detection engine 120, a rule development engine 130, and a phishing object identifier engine 140.
  • Each of these engines is constructed, programmed, configured, or otherwise adapted, to autonomously carry out a function or set of functions.
  • the term engine as used herein means a real-world device, component, or arrangement of components implemented using hardware, such as by an application specific integrated circuit (ASIC) or field-programmable gate array (FPGA), for example, or as a combination of hardware and software, such as by a microprocessor system and a set of program instructions that adapt the engine to implement the particular autonomous functionality, which (while being executed) transform the microprocessor system into a special-purpose machine.
  • ASIC application specific integrated circuit
  • FPGA field-programmable gate array
  • An engine can also be implemented as a combination of the two, with certain functions facilitated by hardware alone, and other functions facilitated by a combination of hardware and software.
  • an engine can be implemented using the processor(s) of one or more computers that execute an operating system, system programs, and application programs, while also implementing the engine (and thereby becoming a special-purpose machine).
  • An engine can be implemented using multitasking, multithreading, distributed (e.g., cluster, peer-peer, cloud, etc.) processing where appropriate, or other such techniques. Accordingly, each engine can be physically realized in any of a variety of suitable physical and logical configurations, and should generally not be limited to any particular implementation exemplified herein, unless such limitations are expressly called out.
  • an engine can itself be composed of more than one sub-engines, each of which can be regarded as an engine in its own right.
  • each of the various engines corresponds to a defined functionality; however, it should be understood that in other contemplated embodiments, each functionality may be distributed to more than one engine.
  • multiple defined functionalities may be implemented by a single engine that performs those multiple functions, possibly alongside other functions, or distributed differently among a set of engines than specifically illustrated in the examples herein.
  • the data capture engine 110 is composed of several sub-engines according to one embodiment, as depicted in FIG. 1B .
  • Interceptor engine 112 is programmed, or otherwise configured, to intercept incoming data that is sent from the server 102 to the client 104. Interception of the incoming data involves preventing the incoming data from reaching its destination and storing the incoming data for processing prior to releasing the incoming data, which may be modified as a result of the processing, to its destination.
  • Emulator engine 113 is programmed, or otherwise configured, to execute any code that may have been intercepted by interceptor engine 112 in an isolated environment such as a process virtual machine, for example, and to pass the outputs of that execution as additional data items part of the intercepted data to categorization engine 114.
  • the additional data items can be html or text content, image files, animations, etc.
  • Categorization engine 114 is programmed, or otherwise configured, to categorize the intercepted data (including data items produced as the results of the emulation) into one or more predefined categories 115 of content, to be further processed as described below.
  • Modification engine 116 is programmed, or otherwise configured, to selectively remove, change, or flag, or otherwise render benign, any detected phishing content from the data being sent to client 104, and transfer the modified data to client 104 (labeled as outgoing data in FIG. 1B ) in lieu of the incoming data.
  • data capture engine 110 can be implemented as:
  • a proxy is an intermediary engine running on a local computer system or on a distinct computer system or network device (e.g., switch, router, etc.), that functions as an intermediary between an application of the local (client) computer system that access a remote computer (e.g., one of servers 102) over a computer network 105.
  • a proxy can additionally assist with establishing connections between the local and remote computer systems, and can provide a variety of data processing operations for the benefit of the local computer system. Data flow is passed through the proxy, which can monitor, filter or modify, and redirect the data packets as needed according to the beneficial service to be provided by the proxy.
  • a proxy can analyze the connections to network addresses, and block or redirect network traffic if a connection is suspected of exposing the user's computer system to undue risk (such as the transfer of phishing content - as pertinent to the present invention).
  • Another example of further data processing operations performed by a proxy is storing copies of frequently-used Web pages (caching) to provide faster loading of those pages.
  • a driver is an engine or component that acts like a translator between a device, such as a disk drive, and programs that use the device, such as the operating system shell.
  • the driver ordinarily accepts generic commands from a program and then translates them into specialized commands for the device.
  • data capture engine 110 is implemented as a driver, the driver additionally performs the data interception functionality.
  • one of the components of an antivirus product that is responsible for countering unwanted advertising, working as a proxy server performs categorization of the html code of an intercepted page by separately highlighting, e.g., tagging, grouping, or sorting, the items of content into a data structure, etc., text contained on the page, links to images, and flash applications present on the page, hyperlinks to other pages, etc.
  • modification engine 116 for modification of intercepted data according to various related embodiments:
  • phishing content detection engine 120 is programmed, or otherwise configured, to search for any known (i.e., predefined) indicia of phishing in categorized data, calculate values of certain parameters relating to phishing indicia found as a result of the search, and send the parameters and their calculated values, as well as the categorized data to the rule development engine 130 and phishing object identifier engine 140.
  • One, or a combination, of the following detection rules 125 can be used in searching for indicia of phishing according to one or more embodiments:
  • phishing indicia as recognized by detection rules 125 according to various embodiments:
  • Each of the parameters relates to one, or a combination, of phishing indicia, and can take additional circumstantial information into account, such as categorization.
  • the following are examples of parameters relating to phishing indicia for which a quantitative score can be computed according to one or more embodiments:
  • An example of phishing parameter quantitative score calculation is an assignment, by one of the components of an antivirus product responsible for countering phishing, of a weighting factor for an unknown link contained in the site under investigation (for example, from 0.0, corresponding to a trusted link, to 1.0, corresponding to a non-trusted link).
  • the presence of the link in the list of trusted links is checked (if the link is found, a weighting factor of 0.0 is assigned, and the calculation is stopped); the presence of the link in the list of non-trusted links is checked (if the link is found, a weighting factor of 1.0 is assigned, and the calculation is stopped); a match of one of the tokens from the non-trusted link token dictionary is checked (if the token is found, the weighting factor to be found is increased by a predetermined amount, for example by 0.25); it is checked whether the site owner is in the list of non-trusted owners (if the owner is found, the weighting factor to be found is increased by another predetermined amount, for example by 0.15), etc.
  • FIG. 1C is a diagram illustrating the relationships between the categories of data among the intercepted data content, phishing indicia, and computed parameters.
  • the intercepted data can contain multiple categories of content. For example, text, images, browser-executable objects, etc. Various categories can be represented in the same set of received data, such as a Web page.
  • FIG. 1C two categories are depicted, Category I, and Category II. Each category is associated with a corresponding set of phishing indicia. Accordingly, for Category II, phishing indicators II-1, II-2, and II-3 are shown. Similarly, there are multiple different phishing indicia for Category I. The phishing indicia between categories can be similar or quite different, with their comparative similarities corresponding to the comparative nature of the different categories.
  • Each category also corresponds to a set of parameters that are specific to the category.
  • Parameters II-A, II-B and II-C correspond to category II; whereas a separate set of parameters will correspond to Category I.
  • the parameters may have a one-to-one, many-to-one, or one-to-many correspondence with the phishing indicators for the same category, and these relationships can vary considerably between the specific instances of phishing indicators, parameters, and between categories.
  • the computed parameter values represent a scoring of the strength of the phishing detection, and are also indicative of the specific items of phishing content.
  • Rule development engine 130 is programmed, or otherwise configured, to make a decision as to evolving rules for searching for phishing content and rules for ascertaining the presence of phishing content in intercepted data.
  • the evolution of rules means automatic generation of new rules based on the application of previous rules.
  • rules are evolved under program control without requiring new incoming data.
  • the application of existing rules to the same items of data can produce successive generations of detection rules that are capable of gaining new and deeper insight into phishing-related content that may be present in the same data.
  • the phishing object identifier engine 140 is programmed, or otherwise configured, to identify (e.g., flag, tag, place in data structure, etc.) phishing-related objects that can lead to exposing the user to phishing content, and items of phishing content themselves.
  • Examples of identifiable phishing-related objects include:
  • system 100 describes operation of system 100 and its interaction with servers 102 and client 104.
  • the context in which system 100 operates includes a user, interacting with a browser application, having found, via a search service, a site selling products that the user is interested in purchasing. After the transfer to the provided address, the user's browser is directed to the ordering page, where, among other information, the user is asked to enter his/her credit card information.
  • this site is a phishing site created by fraudsters in order to steal credit card information.
  • the information in the form of html code, is sent from the site to the browser 104.
  • the data from the site is intercepted by the data capture engine 110.
  • the data capture engine 110 intercepts the data represented in the form of html code intended for the browser 104, and categorizes the content of the intercepted html code. In one such embodiment, data capture engine 110 first performs an emulation in an isolated computing environment (such as a virtual machine) of the html code, including the following:
  • the data capture engine 110 After the completion of the emulation, the data capture engine 110 directly performs categorization of the emulated data itself and sends the received categorized data (such as text, hyperlinks, images, etc.) to the phishing content detection engine 120.
  • the data capture engine 110 After the completion of the emulation, the data capture engine 110 directly performs categorization of the emulated data itself and sends the received categorized data (such as text, hyperlinks, images, etc.) to the phishing content detection engine 120.
  • modification engine 116 of data capture engine 110 performs modification of the intercepted html code (for example, replacing the detected non-trusted hyperlinks with text warnings about possible phishing), and then sends the modified html code to the browser 104.
  • the phishing content detection engine 120 performs a search for categorized phishing indicia data (for example, presence of hyperlinks of non-trusted sites, phrases in the text that are typically used on phishing sites, discrepancies between the hyperlink names and the addresses to which they lead, presence of logos of well-known companies among images, etc.). Further, phishing content detection engine 120 calculates a quantitative score based on the parameters of the phishing indicia returned in the search results (for example, in the case of a string of text, the score can be the weighting factor, indicating the probability of belonging to phishing; in the case of hyperlinks, the score can be a flag indicating non-trusted links, etc.). The calculated parameter scores and categorized data is passed to the rule development engine 130 and to phishing object identifier engine 140.
  • phishing indicia data for example, presence of hyperlinks of non-trusted sites, phrases in the text that are typically used on phishing sites, discrepancies between the hyperlink names and the addresses
  • the rule development engine 130 on the basis of the received phishing indicia parameter scores, selectively evolves rules for determining the presence of phishing.
  • rules can be based on a combination of parameters, with parameter values defined for detection thresholds (for example, a rule by which the presence of non-trusted links and of a weighting factor of the text containing non-trusted links exceeds 0.75 (where 0.0 means a trusted link, and 1.0 means a non-trusted link), is considered as a positive phishing detection result).
  • detection thresholds for example, a rule by which the presence of non-trusted links and of a weighting factor of the text containing non-trusted links exceeds 0.75 (where 0.0 means a trusted link, and 1.0 means a non-trusted link).
  • Newly-generated phishing detection rules are recursively applied to the intercepted data to determine additional parameters and their quantitative values, and to determine the need for any further rule evolution.
  • Phishing object identifier engine 140 processes the intercepted data in the context of the detected phishing indicia, the and the computed parameter scores to apply phishing object detection criteria and, ultimately, to determine which items of content of the intercepted data constitute objects that relate to phishing. These objects may be phishing content itself, or hyperlinks to phishing content that will be found elsewhere.
  • the criteria for phishing object detection can be the same or similar to criteria for rule evolution according to one type of embodiment. In another embodiment, the criteria for phishing object detection differs (for instance, the phishing object threshold can be set to be higher - i.e., more selective - than the threshold for evolving a detection rule in order to reduce the likelihood of responding to a false positive). Once collected, the phishing-related objects are passed to data capture engine 110 to be modified.
  • Data capture engine 110 upon receiving a listing of the identified phishing-related objects, finds, and modifies, those objects in the intercepted data to remove, alter, or otherwise render the detected phishing content benign.
  • the browser 104 having received a modified html code, processes it and displays it in its window.
  • a user even when transferred to a phishing site, is limited in his/her capability to use it, and is thereby protected from a loss of his/her confidential data, such as bank card information.
  • Another exemplary application of system 100 relates to the analysis of data transferred from a server to a client where the server is a mail client and the client is a mail client application that reads electronic mail.
  • One of the received emails was sent by fraudsters in order to lure the user to a specially created site.
  • the data from the mail server 102 are intercepted by the data capture engine 110.
  • the data capture engine 110 intercepts the data intended for the mail client 104, presented in the form of a pdf document, categorizes them and sends the received categorized data (such as text, hyperlinks, images, etc.) to the phishing content detection engine 120.
  • the phishing content detection engine 120 performs a search of the categorized data for phishing indicia, and calculates their parameter scores based on the found phishing indicia.
  • the parameter scores and categorized data are provided to the rule development engine 130 and to the phishing object identifier engine 140.
  • the rule development engine 130 on the basis of the received parameters of the phishing indicia, selectively evolves rules for determining whether phishing is present (for example, a rule by which the presence of images from a non-trusted list together with text with a weighting factor over 0.9 (where a weighting factor of 0.0 means a trusted image, while a weighting factor of 1.0 means a non-trusted image) is considered as meeting the criteria for evolving a detection rule).
  • rules for determining whether phishing is present for example, a rule by which the presence of images from a non-trusted list together with text with a weighting factor over 0.9 (where a weighting factor of 0.0 means a trusted image, while a weighting factor of 1.0 means a non-trusted image) is considered as meeting the criteria for evolving a detection rule).
  • phishing object identifier engine 140 analyzes the results of the application of the phishing detection rules, e.g., finds the cause(s) of the high parameter scores exceeding a phishing detection threshold, and identifies the phishing-related objects that constituted those causes, and identifies those objects in a suitable manner (e.g., tagging, compiling a list, etc.) Thereafter, phishing object identifier engine 140 passes the phishing-related objects identifications to data capture engine 110 for modification.
  • a suitable manner e.g., tagging, compiling a list, etc.
  • the data capture engine 110 modifies the intercepted pdf document (for example, by adding text warnings about possible phishing to the pdf document); then, it sends the modified pdf document to the mail client 104.
  • the phishing-related object identifications for example, certain text strings, images, code, etc.
  • the mail client 104 having received the modified pdf document, processes it and displays it in its window.
  • the user when viewing the received letter, sees a warning about possible phishing in its content.
  • FIG. 2 is a flow diagram illustrating an exemplary overall process flow according to one embodiment.
  • the exemplary method includes data interception 210, data categorization 220, search for phishing indicia 230, calculation of parameter scores 240, selective evolution of rules 250, the use of rules 260 and data modification 270.
  • the data transferred by the servers 102 to the client 104 are intercepted.
  • the intercepted data can include any of the exemplary types of data described above.
  • the intercepted data are categorized by criteria, such as according to the category examples described above.
  • the categorized data are searched for indicia of phishing.
  • parameters and values thereof, of the detected phishing indicia are calculated. Thereafter, at 245, a decision is made about the suitability of evolving rules for detecting phishing content on the basis of the calculated parameter values.
  • stage 250 phishing detection rules are generated on the basis of the calculated phishing indicia parameters. If the rule creation criteria is not satisfied, new rules are not created, and the set of existing rules is used to perform the phishing content detection at stage 260.
  • the generated rules are applied to the categorized data, a search is performed for data used in phishing, and the parameters of detected phishing content are calculated.
  • the intercepted data are modified on the basis of the calculated parameters of the data used in phishing, and the modified data are sent to the client 104.
  • evolution of phishing detection rules includes re-categorization of the intercepted data in order to apply phishing detection rules for other categories of data content to the data.
  • This approach improves phishing detection sensitivity and leads to the generation of new and better detection rules. For example, if the intercepted data contained images, those images were initially categorized in the multimedia data category, but later, using image-to-text recognition algorithms, the data are re-categorized as text, with all of the text-category-based detection rules now being applicable.
  • Rules are evolved so as to setup logical links between the found phishing indicia on the basis of the calculated parameters (for example, an image with the logo of a well-known company is a factor which increases the weighting factor of an unknown hyperlink, up to a level where the hyperlink starts to be considered as non-trusted).
  • phishing indicia that is found, as well as the parameters calculated on their basis, and the rules subsequently built for the purpose of further use for new categorized data, can be saved either locally, on a user computer, or remotely, in a cloud (in this case, they can be downloaded by other users and used on other computers as well).
  • One of the methods for building rules is the use of a neural network, which can learn to build new more accurate rules on the basis of parameters received during the processing of previously received data.
  • neurons are represented by algorithms (or, in other words, processes) of calculation of phishing indicia and of calculation of phishing indicia parameters, which mutually exchange categorized data and calculated parameters.
  • Various learning methods can be used, for example, supervised learning, where some neurons (i.e. phishing indicia calculation methods) and some links (i.e. what phishing indicia and indicia parameters the neurons accept) are determined by an analyst on the basis of previously-processed data.
  • an unsupervised learning method can be used, where the neurons reorganize depending on previously processed data without involving an analyst in the analysis process.
  • the above-described neural network can return either the fact of use of processed data for phishing, or the probability of such a fact (from 0 to 1, where 0 means trusted data, while 1 means non-trusted data).
  • evolution of phishing detection rules includes first determining whether the prevailing conditions merit the generation of new rules based on the application of previous rules.
  • rule score aggregator module for determining whether to create new phishing detection rules:
  • FIG. 3A illustrates the first case, in which the value of parameter 304 exceeds higher threshold 310.
  • threshold 310 can also correspond to a positive phishing detection, i.e., indicative of there being content believed to be phishing content.
  • new detection rule generation is initiated. In generating new phishing detection rules, not only is parameter 304 taken into account, but the other parameters are taken into account as well.
  • the relative weights at least roughly correspond to the relative parameter valuations.
  • FIG. 3B illustrates another case.
  • no parameter value exceeds threshold 310.
  • threshold 312 does not correspond to a positive phishing detection for any given parameter; however, score aggregator 302 is configured with criteria that recognizes an indication for new rule generation based on an aggregated combination of the parameters that exceed threshold 312. Therefore, new rule generation is initiated.
  • the aggregated value of phishing indicia parameters can be calculated by score aggregator 302 according to various other combining techniques. For instance:
  • FIG. 4 is an information flow diagram illustrating a process for evolving phishing detection rules according to one embodiment.
  • intercepted data 402 as obtained by the interceptor engine 112 of data capture engine 110, for instance, is examined at 404 according to rule set 406, which includes existing phishing detection rules.
  • Rule set 406 which includes existing phishing detection rules.
  • the result of the processing produces parameter scores 408.
  • rule generation criteria 410 which renders a decision as to whether or not to evolve the phishing detection rules. This decision 412 is based on one or more of the decision criteria discussed above, for example. If the rule generation criteria 410 is met by parameter scores 408, then the process proceeds to evolve one or more new phishing detection rules 414. The new rule(s) 414 are then added to rule set 406, and are re-applied to the intercepted data 402.
  • the newly-evolved rules that are added to rule set 406 are used to examine intercepted data 402 for indicia of phishing and for generating new parameter scores 408.
  • the process of this example uses a recursive technique to create multiple successive generations of phishing detection rules without requiring human input or fresh incoming data from which to create the new rules.
  • the phishing detection rule evolution looks at the varying parameters and their values to assess the sensitivity of certain detection rule features, and to select the more sensitive rule features from which to spawn variations of the detection rules.
  • these rule variations can develop new rules across categories based on the success of a given rule in a prior rule generation's category.
  • FIG. 5 is a rule evolution diagram illustrating an example of how an initial rule is evolved to form successive generations of rules applicable to different categories of content according to one embodiment.
  • three categories of content are represented by rows labeled Category I, Category II, and Category III. Each of the columns represents a generation of rule evolution. These are labeled Generation 0, Generation 1, and Generation 2.
  • an initial rule of Generation 0, Rule I-a which is applicable to Category I, is applied to a set of intercepted data.
  • the processing of the detection rule's application to the set of intercepted data resulted in a decision to evolve the rule. For example, one or more parameter scores exceeded an applicable at least one threshold (e.g., as exemplified above with reference to FIGs. 3A and 3B ).
  • Rule creation process created rules in subsequent Generation 1. These are Rule I-b and Rule I-c (applicable to Category I), as well as Rule II-a (applicable to Category II). Each of the newly-generated rules are applied to the intercepted data, which in one embodiment can include the very same intercepted data to which the previous generation's rule was applied. Of these three Generation 1 rules, Rule II-a has met the decision criteria for evolving a subsequent generation of rules. Accordingly, Rule 1-d, and Rule III-a of Generation 2 are created. In various other examples, it is possible for multiple rules to meet the decision criteria, in which each of these multiple rules will have further generations of rules evolved.
  • each of the new Generation 2 rules is in a different category than Rule II-a from which they were evolved.
  • This can represent a real-world example in which a first detection rule being developed to detect a particular ASCII text string (and perhaps also certain variations thereof) (e.g., of a first category of content) previously identified as constituting phishing content, is evolved to detect non-ASCII-encoded text appearing as part of an image file (e.g., of a second category of content) that, when character-recognized and converted into ASCII text, would constitute the particular text string (or variations) that constitutes phishing content.
  • a similar rule evolution can be applied to a piece of browser-executable code (e.g., a third category of content) that renders text or an image of the text in a browser application, that can constitute the same phishing content.
  • the Generation 2 rules are then applied to the intercepted data to further examine rule evolution opportunities.
  • Rule evolution can continue for further generations until the rule evolution criteria fails to be met by all of the applied rules of the latest generation, or there may be a prescribed limit to the number of generations.
  • the rule generation thresholds can be incrementally increased for successive generations such that increasingly particularly sensitive detections are preferentially selected for evolution in later generations.
  • new categories can be generated. For example, a first category can apply to a flash object, having been identified as meeting rule evolution criteria. In response, the rule evolution process examines the various elements within the flash object, e.g., AcrionScript elements, textual elements, images, etc., and for each of these, a new category is automatically defined and explored in subsequent iterations.
  • elements within the flash object e.g., AcrionScript elements, textual elements, images, etc.
  • FIG. 6 is a diagram illustrating in greater detail a computer system 600, that is made into a special-purpose machine with improved functionality upon implementation of embodiments of the invention as described herein.
  • the computer system 600 may include a computing device such as a personal computer 602.
  • the personal computer 602 includes one or more processing units 604, a system memory 606, a video interface 608, an output peripheral interface 610, a network interface 612, a user input interface 614, removable 616 and non-removable 618 memory interfaces and a system bus or high-speed communications channel 620 coupling the various components.
  • the processing units 604 may have multiple logical cores that are able to process information stored on computer readable media such as the system memory 606 or memory attached to the removable 616 and non-removable 618 memory interfaces 618.
  • the computer 602 system memory 606 may include non-volatile memory such as Read Only Memory (ROM) 622 or volatile memory such as Random Access Memory (RAM) 624.
  • ROM Read Only Memory
  • RAM Random Access Memory
  • the ROM 622 may include a basic input/output system (BIOS) 626 to help communicate with the other portion of the computer 602.
  • the RAM 624 may store portions of various software applications such as the operating system 628, application programs 630 and other program engines 632. Further, the RAM 624 may store other information such as program or application data 634.
  • the RAM 624 stores information that requires low-latencies and efficient access, such as programs and data being manipulated or operated on.
  • RAM 624 comprises Double Data Rate (DDR) memory, Error Correcting memory (ECC) or other memory technologies with varying latencies and configurations such as RAMBUS or DDR2 and DDR3.
  • DDR Double Data Rate
  • ECC Error Correcting memory
  • the system memory 606 may store the input data store, access credential data store, operating memory data store, instruction set data store, analysis result data store and the operating memory data store.
  • the processing units 604 may be configured to execute instructions that limit access to the aforementioned data stores by requiring access credential before access to the information is granted.
  • the removable 616 and non-removable 618 memory interfaces may couple the computer 602 to disk drives 636 such as SSD or rotational disk drives.
  • disk drives 636 may provide further storage for various software applications such as the operating system 638, application programs 640 and other program engines 642. Further, the disk drives 636 may store other information such as program or application data 644. In various embodiments, the disk drives 636 store information that doesn't require the same low-latencies as in other storage mediums. Further, the operating system 638, application program 640 data, program engines 642 and program or application data 644 may be the same information as that stored in the RAM 624 in various embodiments mentioned above or it may be different data potentially derivative of the RAM 624 stored data.
  • the removable non-volatile memory interface 616 may couple the computer 602 to magnetic portable disk drives 646 that utilize magnetic media such as the floppy disk 648, Iomega® Zip or jazz, or optical disk drives 650 that utilize optical media 652 for storage of computer readable media such as Blu-Ray®, DVD-R/RW, CD-R/RW and other similar formats. Still other embodiments utilize SSD or rotational disks housed in portable enclosures 654 to increase the capacity of removable memory.
  • the computer 602 may utilize the network interface 612 to communicate with one or more remote computers 656 over a local area network (LAN) 658 or a wide area network (WAN) 660.
  • the network interface 612 may utilize a Network Interface Card (NIC) or other interface such as a modem 662 to enable communication.
  • the modem 662 may enable communication over telephone lines, coaxial, fiber optic, powerline, or wirelessly.
  • the remote computer 656 may contain a similar hardware and software configuration or may have a memory 664 that contains remote application programs 666 that may provide additional computer readable instructions to the computer 602.
  • the remote computer memory 664 can be utilized to store information such as identified file information that may be later downloaded to local system memory 606.
  • the remote computer 656 may be an application server, an administrative server, client computers, or a network appliance.
  • a user may enter information to the computer 602 using input devices connected to the user input interface 614 such as a mouse 668 and keyboard 670. Additionally, the input device may be a trackpad, fingerprint scanner, joystick, barcode scanner, media scanner or the like.
  • the video interface 608 may provide visual information to a display such as a monitor 672.
  • the video interface 608 may be an embedded interface or it may be a discrete interface.
  • the computer may utilize a plurality of video interfaces 608, network interfaces 612 and removable 616 and non-removable 618 interfaces in order to increase the flexibility in operation of the computer 602. Further, various embodiments utilize several monitors 672 and several video interfaces 608 to vary the performance and capabilities of the computer 602.
  • Other computer interfaces may be included in computer 602 such as the output peripheral interface 610. This interface may be coupled to a printer 674 or speakers 676 or other peripherals to provide additional functionality to the computer 602.
  • the computer 602 may include, without limitation, additional interfaces coupled to the system bus 620 such as universal serial bus (USB), printer port, game port, PCI bus, PCI Express or integrations of the various components described above into chipset components such as the northbridge or southbridge.
  • the processing unit 604 may include an embedded memory controller (not shown) to enable more efficient transfer of data from the system memory 606 than the system bus 620 may provide.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Mining & Analysis (AREA)
  • General Business, Economics & Management (AREA)
  • Business, Economics & Management (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)
EP15163749.3A 2015-03-05 2015-04-15 Système et procédé automatisés d'évolution de règles de détection d'hameçonnage Active EP3065367B1 (fr)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/639,871 US9253208B1 (en) 2015-03-05 2015-03-05 System and method for automated phishing detection rule evolution

Publications (2)

Publication Number Publication Date
EP3065367A1 true EP3065367A1 (fr) 2016-09-07
EP3065367B1 EP3065367B1 (fr) 2018-02-07

Family

ID=52875049

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15163749.3A Active EP3065367B1 (fr) 2015-03-05 2015-04-15 Système et procédé automatisés d'évolution de règles de détection d'hameçonnage

Country Status (3)

Country Link
US (2) US9253208B1 (fr)
EP (1) EP3065367B1 (fr)
CN (1) CN105516113B (fr)

Families Citing this family (79)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9253208B1 (en) 2015-03-05 2016-02-02 AO Kaspersky Lab System and method for automated phishing detection rule evolution
US10298602B2 (en) * 2015-04-10 2019-05-21 Cofense Inc. Suspicious message processing and incident response
US20160337394A1 (en) * 2015-05-11 2016-11-17 The Boeing Company Newborn domain screening of electronic mail messages
US9967273B2 (en) 2015-06-15 2018-05-08 Microsoft Technology Licensing, Llc. Abusive traffic detection
US10601865B1 (en) * 2015-09-30 2020-03-24 Fireeye, Inc. Detection of credential spearphishing attacks using email analysis
US10630708B2 (en) * 2016-01-08 2020-04-21 Cyber Detection Services Inc Embedded device and method of processing network communication data
US9894092B2 (en) 2016-02-26 2018-02-13 KnowBe4, Inc. Systems and methods for performing or creating simulated phishing attacks and phishing attack campaigns
US10009370B1 (en) * 2016-03-01 2018-06-26 EMC IP Holding Company LLC Detection and remediation of potentially malicious files
US9800613B1 (en) 2016-06-28 2017-10-24 KnowBe4, Inc. Systems and methods for performing a simulated phishing attack
RU2634211C1 (ru) 2016-07-06 2017-10-24 Общество с ограниченной ответственностью "Траст" Способ и система анализа протоколов взаимодействия вредоносных программ с центрами управления и выявления компьютерных атак
RU2649793C2 (ru) 2016-08-03 2018-04-04 ООО "Группа АйБи" Способ и система выявления удаленного подключения при работе на страницах веб-ресурса
RU2634209C1 (ru) 2016-09-19 2017-10-24 Общество с ограниченной ответственностью "Группа АйБи ТДС" Система и способ автогенерации решающих правил для систем обнаружения вторжений с обратной связью
US10095753B2 (en) * 2016-09-28 2018-10-09 Microsoft Technology Licensing, Llc Aggregation and generation of confidential data insights with confidence values
US10291646B2 (en) 2016-10-03 2019-05-14 Telepathy Labs, Inc. System and method for audio fingerprinting for attack detection
US10313352B2 (en) * 2016-10-26 2019-06-04 International Business Machines Corporation Phishing detection with machine learning
US10855714B2 (en) 2016-10-31 2020-12-01 KnowBe4, Inc. Systems and methods for an artificial intelligence driven agent
RU2671991C2 (ru) 2016-12-29 2018-11-08 Общество с ограниченной ответственностью "Траст" Система и способ сбора информации для обнаружения фишинга
RU2637477C1 (ru) * 2016-12-29 2017-12-04 Общество с ограниченной ответственностью "Траст" Система и способ обнаружения фишинговых веб-страниц
US9749360B1 (en) 2017-01-05 2017-08-29 KnowBe4, Inc. Systems and methods for performing simulated phishing attacks using social engineering indicators
US20180307844A1 (en) 2017-04-21 2018-10-25 KnowBe4, Inc. Using smart groups for simulated phishing training and phishing campaigns
WO2018208669A1 (fr) 2017-05-08 2018-11-15 KnowBe4, Inc. Systèmes et procédés de fourniture d'interfaces utilisateur en fonction d'actions associées à des courriers électroniques non sécurisés
US11599838B2 (en) 2017-06-20 2023-03-07 KnowBe4, Inc. Systems and methods for creating and commissioning a security awareness program
US11343276B2 (en) 2017-07-13 2022-05-24 KnowBe4, Inc. Systems and methods for discovering and alerting users of potentially hazardous messages
US11295010B2 (en) 2017-07-31 2022-04-05 KnowBe4, Inc. Systems and methods for using attribute data for system protection and security awareness training
US10657248B2 (en) 2017-07-31 2020-05-19 KnowBe4, Inc. Systems and methods for using attribute data for system protection and security awareness training
RU2689816C2 (ru) 2017-11-21 2019-05-29 ООО "Группа АйБи" Способ для классифицирования последовательности действий пользователя (варианты)
US10812527B2 (en) 2017-12-01 2020-10-20 KnowBe4, Inc. Systems and methods for aida based second chance
US10673895B2 (en) 2017-12-01 2020-06-02 KnowBe4, Inc. Systems and methods for AIDA based grouping
US11777986B2 (en) 2017-12-01 2023-10-03 KnowBe4, Inc. Systems and methods for AIDA based exploit selection
US10581910B2 (en) 2017-12-01 2020-03-03 KnowBe4, Inc. Systems and methods for AIDA based A/B testing
US10679164B2 (en) 2017-12-01 2020-06-09 KnowBe4, Inc. Systems and methods for using artificial intelligence driven agent to automate assessment of organizational vulnerabilities
US10348762B2 (en) 2017-12-01 2019-07-09 KnowBe4, Inc. Systems and methods for serving module
US10839083B2 (en) 2017-12-01 2020-11-17 KnowBe4, Inc. Systems and methods for AIDA campaign controller intelligent records
US10257225B1 (en) 2017-12-01 2019-04-09 KnowBe4, Inc. Systems and methods for artificial intelligence driven agent campaign controller
US10715549B2 (en) 2017-12-01 2020-07-14 KnowBe4, Inc. Systems and methods for AIDA based role models
US10009375B1 (en) * 2017-12-01 2018-06-26 KnowBe4, Inc. Systems and methods for artificial model building techniques
US10348761B2 (en) 2017-12-01 2019-07-09 KnowBe4, Inc. Systems and methods for situational localization of AIDA
US10313387B1 (en) 2017-12-01 2019-06-04 KnowBe4, Inc. Time based triggering of dynamic templates
RU2680736C1 (ru) 2018-01-17 2019-02-26 Общество с ограниченной ответственностью "Группа АйБи ТДС" Сервер и способ для определения вредоносных файлов в сетевом трафике
RU2676247C1 (ru) 2018-01-17 2018-12-26 Общество С Ограниченной Ответственностью "Группа Айби" Способ и компьютерное устройство для кластеризации веб-ресурсов
RU2677368C1 (ru) 2018-01-17 2019-01-16 Общество С Ограниченной Ответственностью "Группа Айби" Способ и система для автоматического определения нечетких дубликатов видеоконтента
RU2668710C1 (ru) 2018-01-17 2018-10-02 Общество с ограниченной ответственностью "Группа АйБи ТДС" Вычислительное устройство и способ для обнаружения вредоносных доменных имен в сетевом трафике
RU2677361C1 (ru) 2018-01-17 2019-01-16 Общество с ограниченной ответственностью "Траст" Способ и система децентрализованной идентификации вредоносных программ
US10834111B2 (en) 2018-01-29 2020-11-10 International Business Machines Corporation Method and system for email phishing attempts identification and notification through organizational cognitive solutions
RU2681699C1 (ru) 2018-02-13 2019-03-12 Общество с ограниченной ответственностью "Траст" Способ и сервер для поиска связанных сетевых ресурсов
US10237302B1 (en) 2018-03-20 2019-03-19 KnowBe4, Inc. System and methods for reverse vishing and point of failure remedial training
JP6876649B2 (ja) * 2018-03-27 2021-05-26 日本電信電話株式会社 違法コンテンツ探索装置、違法コンテンツ探索方法およびプログラム
WO2019201900A1 (fr) * 2018-04-19 2019-10-24 Thales Dis France Sa Procédé permettant de sécuriser un système informatique
EP3557839A1 (fr) * 2018-04-19 2019-10-23 Gemalto Sa Procédé pour sécuriser un système informatique
US10673876B2 (en) 2018-05-16 2020-06-02 KnowBe4, Inc. Systems and methods for determining individual and group risk scores
CN108985056A (zh) * 2018-06-27 2018-12-11 努比亚技术有限公司 一种数据拦截方法、电子设备及计算机可读存储介质
US11212312B2 (en) * 2018-08-09 2021-12-28 Microsoft Technology Licensing, Llc Systems and methods for polluting phishing campaign responses
US10984274B2 (en) 2018-08-24 2021-04-20 Seagate Technology Llc Detecting hidden encoding using optical character recognition
US10540493B1 (en) 2018-09-19 2020-01-21 KnowBe4, Inc. System and methods for minimizing organization risk from users associated with a password breach
US10673894B2 (en) 2018-09-26 2020-06-02 KnowBe4, Inc. System and methods for spoofed domain identification and user training
CN109246127B (zh) * 2018-10-12 2021-05-28 上海哔哩哔哩科技有限公司 一种音频资源的安全分享控制方法和系统
US10979448B2 (en) 2018-11-02 2021-04-13 KnowBe4, Inc. Systems and methods of cybersecurity attack simulation for incident response training and awareness
US10812507B2 (en) 2018-12-15 2020-10-20 KnowBe4, Inc. System and methods for efficient combining of malware detection rules
RU2708508C1 (ru) 2018-12-17 2019-12-09 Общество с ограниченной ответственностью "Траст" Способ и вычислительное устройство для выявления подозрительных пользователей в системах обмена сообщениями
RU2701040C1 (ru) 2018-12-28 2019-09-24 Общество с ограниченной ответственностью "Траст" Способ и вычислительное устройство для информирования о вредоносных веб-ресурсах
WO2020176005A1 (fr) 2019-02-27 2020-09-03 Общество С Ограниченной Ответственностью "Группа Айби" Procédé et système d'identification d'un utilisateur en fonction de sa manière de manipuler un clavier d'ordinateur
CN111669353A (zh) * 2019-03-08 2020-09-15 顺丰科技有限公司 钓鱼网站检测方法及系统
US11108821B2 (en) 2019-05-01 2021-08-31 KnowBe4, Inc. Systems and methods for use of address fields in a simulated phishing attack
US11281854B2 (en) * 2019-08-21 2022-03-22 Primer Technologies, Inc. Limiting a dictionary used by a natural language model to summarize a document
US11489868B2 (en) 2019-09-05 2022-11-01 Proofpoint, Inc. Dynamically initiating and managing automated spear phishing in enterprise computing environments
US11233820B2 (en) 2019-09-10 2022-01-25 Paypal, Inc. Systems and methods for detecting phishing websites
RU2728497C1 (ru) 2019-12-05 2020-07-29 Общество с ограниченной ответственностью "Группа АйБи ТДС" Способ и система определения принадлежности программного обеспечения по его машинному коду
RU2728498C1 (ru) 2019-12-05 2020-07-29 Общество с ограниченной ответственностью "Группа АйБи ТДС" Способ и система определения принадлежности программного обеспечения по его исходному коду
RU2743974C1 (ru) 2019-12-19 2021-03-01 Общество с ограниченной ответственностью "Группа АйБи ТДС" Система и способ сканирования защищенности элементов сетевой архитектуры
SG10202001963TA (en) 2020-03-04 2021-10-28 Group Ib Global Private Ltd System and method for brand protection based on the search results
CN111756724A (zh) * 2020-06-22 2020-10-09 杭州安恒信息技术股份有限公司 钓鱼网站的检测方法、装置、设备、计算机可读存储介质
US11475090B2 (en) 2020-07-15 2022-10-18 Group-Ib Global Private Limited Method and system for identifying clusters of affiliated web resources
RU2743619C1 (ru) 2020-08-06 2021-02-20 Общество с ограниченной ответственностью "Группа АйБи ТДС" Способ и система генерации списка индикаторов компрометации
US11947572B2 (en) 2021-03-29 2024-04-02 Group IB TDS, Ltd Method and system for clustering executable files
NL2030861B1 (en) 2021-06-01 2023-03-14 Trust Ltd System and method for external monitoring a cyberattack surface
RU2769075C1 (ru) 2021-06-10 2022-03-28 Общество с ограниченной ответственностью "Группа АйБи ТДС" Система и способ активного обнаружения вредоносных сетевых ресурсов
CN113630395B (zh) * 2021-07-28 2023-06-06 上海纽盾网安科技有限公司 通信内容的防钓鱼方法、客户端及系统
CN113689138B (zh) * 2021-09-06 2024-04-26 北京邮电大学 一种基于眼动追踪和社工要素的网络钓鱼易感性预测方法
CN115022086B (zh) * 2022-07-19 2023-11-21 北京安天网络安全技术有限公司 网络安全防御方法、装置、电子设备及存储介质

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1887754A1 (fr) * 2006-08-10 2008-02-13 Deutsche Telekom AG Système fournissant la détection précoce, alerte et réponse aux menaces électroniques
US20080162449A1 (en) * 2006-12-28 2008-07-03 Chen Chao-Yu Dynamic page similarity measurement

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685254B2 (en) * 2003-06-10 2010-03-23 Pandya Ashish A Runtime adaptable search processor
EP1704492A1 (fr) * 2003-11-27 2006-09-27 Quinetiq Limited Detection automatique d'anomalies
US8627458B2 (en) * 2004-01-13 2014-01-07 Mcafee, Inc. Detecting malicious computer program activity using external program calls with dynamic rule sets
US8438499B2 (en) 2005-05-03 2013-05-07 Mcafee, Inc. Indicating website reputations during user interactions
US7681234B2 (en) 2005-06-30 2010-03-16 Microsoft Corporation Preventing phishing attacks
EP2442525A1 (fr) 2005-12-13 2012-04-18 Crossbeam Systems, Inc. Systèmes et procédés de traitement de flux de données
US7849502B1 (en) * 2006-04-29 2010-12-07 Ironport Systems, Inc. Apparatus for monitoring network traffic
US7890612B2 (en) * 2006-05-08 2011-02-15 Electro Guard Corp. Method and apparatus for regulating data flow between a communications device and a network
US7668921B2 (en) 2006-05-30 2010-02-23 Xerox Corporation Method and system for phishing detection
US7899978B2 (en) * 2006-12-08 2011-03-01 Pandya Ashish A Dynamic programmable intelligent search memory
US7854001B1 (en) 2007-06-29 2010-12-14 Trend Micro Incorporated Aggregation-based phishing site detection
US8578166B2 (en) 2007-08-06 2013-11-05 Morgamon SA System and method for authentication, data transfer, and protection against phishing
US20090089859A1 (en) 2007-09-28 2009-04-02 Cook Debra L Method and apparatus for detecting phishing attempts solicited by electronic mail
US8707426B1 (en) 2008-05-28 2014-04-22 Symantec Corporation Method and apparatus for resolving a cousin domain name to detect web-based fraud
US9734125B2 (en) * 2009-02-11 2017-08-15 Sophos Limited Systems and methods for enforcing policies in the discovery of anonymizing proxy communications
WO2010105184A2 (fr) * 2009-03-13 2010-09-16 Breach Security , Inc. Procédé et appareil pour une détection de vulnérabilité au hameçonnage et aux sangsues informatiques
CN101504673B (zh) 2009-03-24 2011-09-07 阿里巴巴集团控股有限公司 一种识别疑似仿冒网站的方法与系统
US8769695B2 (en) 2009-04-30 2014-07-01 Bank Of America Corporation Phish probability scoring model
US20100332593A1 (en) 2009-06-29 2010-12-30 Igor Barash Systems and methods for operating an anti-malware network on a cloud computing platform
CN101826105B (zh) * 2010-04-02 2013-06-05 南京邮电大学 基于匈牙利匹配算法的钓鱼网页检测方法
US8671447B2 (en) 2010-06-09 2014-03-11 Sonicwall, Inc. Net-based email filtering
RU2446459C1 (ru) 2010-07-23 2012-03-27 Закрытое акционерное общество "Лаборатория Касперского" Система и способ проверки веб-ресурсов на наличие вредоносных компонент
US8521667B2 (en) 2010-12-15 2013-08-27 Microsoft Corporation Detection and categorization of malicious URLs
US20150229664A1 (en) * 2014-02-13 2015-08-13 Trevor Tyler HAWTHORN Assessing security risks of users in a computing network
CN102902917A (zh) 2011-07-29 2013-01-30 国际商业机器公司 用于预防钓鱼式攻击的方法和系统
US8799987B2 (en) * 2011-12-05 2014-08-05 Facebook, Inc. Updating system behavior dynamically using feature expressions and feature loops
EP2877956B1 (fr) 2012-07-24 2019-07-17 Webroot Inc. Système et procédé de fourniture de classification automatique de sites d'hameçonnage
US9398038B2 (en) * 2013-02-08 2016-07-19 PhishMe, Inc. Collaborative phishing attack detection
US8997232B2 (en) * 2013-04-22 2015-03-31 Imperva, Inc. Iterative automatic generation of attribute values for rules of a web application layer attack detector
US9253208B1 (en) 2015-03-05 2016-02-02 AO Kaspersky Lab System and method for automated phishing detection rule evolution

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1887754A1 (fr) * 2006-08-10 2008-02-13 Deutsche Telekom AG Système fournissant la détection précoce, alerte et réponse aux menaces électroniques
US20080162449A1 (en) * 2006-12-28 2008-07-03 Chen Chao-Yu Dynamic page similarity measurement

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BARRACLOUGH P. A. ET AL: "Intelligent phishing detection and protection scheme for online transactions", EXPERT SYSTEMS WITH APPLICATIONS, vol. 40, no. 11, 21 February 2013 (2013-02-21), pages 4697 - 4706, XP002759574, Retrieved from the Internet <URL:http://www.sciencedirect.com/science/article/pii/S0957417413001255> [retrieved on 20160705], DOI: 10.1016/j.eswa.2013.02.009 *
RAMI M MOHAMMAD ET AL: "An assessment of features related to phishing websites using an automated technique", INTERNET TECHNOLOGY AND SECURED TRANSACTIONS, 2012 INTERNATIONAL CONFERECE FOR, IEEE, 10 December 2012 (2012-12-10), pages 492 - 497, XP032340659, ISBN: 978-1-4673-5325-0 *

Also Published As

Publication number Publication date
CN105516113A (zh) 2016-04-20
CN105516113B (zh) 2018-10-02
EP3065367B1 (fr) 2018-02-07
US9253208B1 (en) 2016-02-02
US9621570B2 (en) 2017-04-11
US20160261618A1 (en) 2016-09-08

Similar Documents

Publication Publication Date Title
US9621570B2 (en) System and method for selectively evolving phishing detection rules
Butt et al. Cloud-based email phishing attack using machine and deep learning algorithm
Parisi Hands-On Artificial Intelligence for Cybersecurity: Implement smart AI systems for preventing cyber attacks and detecting threats and network anomalies
Buber et al. NLP based phishing attack detection from URLs
HR et al. Development of anti-phishing browser based on random forest and rule of extraction framework
Shahzad et al. Detecting scareware by mining variable length instruction sequences
Chebbi Mastering machine learning for penetration testing: develop an extensive skill set to break self-learning systems using Python
Taofeek Development of a Novel Approach to Phishing Detection Using Machine Learning
Halder et al. Hands-On Machine Learning for Cybersecurity: Safeguard your system by making your machines intelligent using the Python ecosystem
US20230164180A1 (en) Phishing detection methods and systems
Hwang et al. Semi-supervised based unknown attack detection in EDR environment
JP2012088803A (ja) 悪性ウェブコード判別システム、悪性ウェブコード判別方法および悪性ウェブコード判別用プログラム
Ferreira Malicious URL detection using machine learning algorithms
Abidoye et al. Hybrid machine learning: A tool to detect phishing attacks in communication networks
Shoaib et al. An investigation in detection and mitigation of smishing using machine learning techniques
Akanchha Exploring a robust machine learning classifier for detecting phishing domains using SSL certificates
RU2580027C1 (ru) Система и способ формирования правил поиска данных, используемых для фишинга
US20220237289A1 (en) Automated malware classification with human-readable explanations
Hiremath A novel approach for analyzing and classifying malicious web pages
US20210064662A1 (en) Data collection system for effectively processing big data
Njoku et al. URL Based Phishing Website Detection Using Machine Learning.
Medelbekov et al. Machine Learning Methods for Phishing Attacks: Survey
US12132706B2 (en) Data collection system for effectively processing big data
US20220200959A1 (en) Data collection system for effectively processing big data
Sun et al. Padetective: A systematic approach to automate detection of promotional attackers in mobile app store

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20150415

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/06 20060101AFI20170616BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20170803

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 969194

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180215

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602015007898

Country of ref document: DE

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 4

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20180207

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 969194

Country of ref document: AT

Kind code of ref document: T

Effective date: 20180207

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180507

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180507

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180607

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180508

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602015007898

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20180430

26N No opposition filed

Effective date: 20181108

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180415

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180430

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180430

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180430

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180415

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180415

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180207

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180207

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20150415

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602015007898

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: H04L0029060000

Ipc: H04L0065000000

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20240229

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20240308

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20240306

Year of fee payment: 10